This document outlines how Written Medicine processes personal data when integrated within NHS Trusts, Integrated Care Boards (ICBs), and community pharmacy settings. It is designed to assist Data Protection Officers (DPOs) and Caldicott Guardians in conducting Data Protection Impact Assessments (DPIAs) and updating their transparency materials.
Written Medicine is a specialist Software as a Service (SaaS) platform that automates the translation and transcription of medication instructions into accessible formats. We help healthcare providers meet the Accessible Information Standard (AIS) and comply with UK/EU patient safety regulations by providing:
- Bilingual Dispensing Labels: Accurate translations in 10+ languages.
- Multimodal Instructions: High-quality pictograms for low-literacy support and audio instructions for the visually impaired.
- Clinical Documentation: A4 medication summary sheets, MAR charts, and discharge summaries.
- Verified Content: Mapped links to vetted, third-party health information.
Note: The system is a communication aid; it does not perform clinical diagnosis, drug-interaction checks, or automated profiling.
When deployed in NHS or community pharmacy settings:
- The Data Controller: The NHS organisation, GP surgery, or Community Pharmacy remains the Data Controller.
- The Data Processor: Written Medicine (DrugInfo Ltd) acts as the Data Processor.
All processing is conducted strictly under documented instructions from the Controller via a legally binding Data Processing Agreement (DPA). Written Medicine does not determine the purpose or lawful basis for processing.
To generate legally compliant and patient-specific instructions, the platform processes a limited set of personal data, which may include Special Category Data.
| Data Type | Examples |
|---|---|
| Identifiers | Patient Name, Date of Birth, Gender. |
| Clinical Identifiers | NHS Number or local Hospital/Pharmacy ID. |
| Accessibility Needs | Preferred language, literacy requirements (pictogram use), or visual impairment (audio requirement). |
The Data Controller determines the lawful basis. Under UK and EU GDPR, these typically include:
- Article 6(1)(e): Public task (for NHS bodies).
- Article 6(1)(c): Legal obligation (for pharmacies dispensing under the Medicines Act).
- Article 9(2)(h): Provision of health or social care (processing by health professionals).
Written Medicine is built with "Privacy by Design" at its core to meet NHS Data Security and Protection Toolkit (DSPT) and Cyber Essentials standards.
- Hosting: Data is hosted exclusively within the United Kingdom (AWS UK Region).
- Encryption: All data is encrypted using TLS 1.2+ in transit and AES-256 at rest.
- Access Control: Strict Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA) are mandatory for all administrative access.
- Audit Logging: Comprehensive logs are maintained to ensure accountability and traceability.
Written Medicine adheres to the NHS Records Management Code of Practice. Data is retained only for as long as specified by the Controller’s instructions. Upon contract termination or the expiry of the retention period, data is securely deleted in accordance with industry standards.
Written Medicine uses the following sub-processor to maintain the platform:
Amazon Web Services (AWS UK Region): Cloud infrastructure and storage.
Note: All audio generation and translation processing occur within our secure UK-based environment to ensure data remains within the jurisdiction.
Individuals wishing to exercise their rights (Access, Rectification, Erasure, Restriction) should contact their healthcare provider (the Data Controller) directly. As the Processor, Written Medicine provides the technical tools to enable the Controller to fulfill these requests promptly.
For product-related data protection enquiries or to request our latest DSPT self-assessment, please contact:
Data Protection Lead: Ghalib Khan
Email: ghalib@writtenmedicine.com
Website: www.writtenmedicine.com